Identify Attack Surface using Source Code

In web application security testing, it is very important to identify all the entry points (injection points) by analysing every HTTP request and response, so that the security test can cover the various injection vulnerabilities such as SQLi, XSS, LFI, IDOR and so on.

Identifying every parameter and form field manually is time-consuming: we have to pay attention to every GET-based and POST-based request to find the parameters and form fields passed to the application, and we also have to maintain lists of all those parameters as notes.

But if we have access to the source code, we can identify the parameters by analysing that code with the OWASP Attack Surface Detector.

What is OWASP Attack Surface Detector?

The OWASP Attack Surface Detector tool analyzes the source code to identify a web application's endpoints, the parameters those endpoints accept, and the data types of those parameters. This includes endpoints that are not linked anywhere, which a spider/crawler cannot discover, and optional parameters that are never used in client-side code. It can also determine how the attack surface has changed between two versions of the application.

How to use OWASP Attack Surface Detector?

The OWASP Attack Surface Detector is a command-line tool that takes a source code folder as input and outputs the set of endpoints and parameters detected in that codebase. The endpoints are printed to the console by default, but with the -output-file and -JSON flags the results can also be saved in JSON format.

The OWASP Attack Surface Detector supports the following frameworks:

  • ASP.NET MVC / Web API / Core / Web Forms
  • Struts
  • Django
  • Ruby on Rails
  • Spring MVC
  • JSP

Now we will walk through an example of using the OWASP Attack Surface Detector on the OWASP RailsGoat source code (built on Ruby on Rails).

Step 1: Download the OWASP Attack Surface Detector .jar file

Step 2: Clone the OWASP RailsGoat source code

Step 3: Run the OWASP Attack Surface Detector
Command: java -jar attack-surface-detector-cli-1.3.8.jar railsgoat/ -full-json -output-file=./result.json

Syntax: java -jar attack-surface-detector-cli-1.3.8.jar <source-code-path> -full-json -output-file=<PATH>

-full-json: Prints the full JSON information to the console
-output-file: Writes the generated JSON to the specified file path

Step 4: Print the JSON result in pretty format
Command: cat result.json | jq
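Once result.json exists, the parameter list that Step 4 only pretty-prints can be turned into the checklist a tester would otherwise keep by hand. The following Python script is an added example, not code from this post or from the Attack Surface Detector project; it assumes the report is a list of endpoint objects with httpMethod, urlPath, parameters (each with name, paramType and dataType), filePath and startingLineNumber fields, uses a small constructed sample in place of a real result.json, and also diffs two inventories to show the version-to-version comparison described above.

```python
import json

# Constructed sample in the shape this script assumes the -full-json report takes
# (field names are assumptions made for this example, not quoted from the tool):
# one object per endpoint, with "parameters" keyed by parameter name.
SAMPLE_JSON = """[
 {"httpMethod": "GET", "urlPath": "/users/{id}",
  "parameters": {"id": {"name": "id", "paramType": "PARAMETRIC_ENDPOINT", "dataType": "INTEGER"}},
  "filePath": "app/controllers/users_controller.rb", "startingLineNumber": 5},
 {"httpMethod": "POST", "urlPath": "/users",
  "parameters": {"user[email]": {"name": "user[email]", "paramType": "FORM_DATA", "dataType": "STRING"},
                 "user[password]": {"name": "user[password]", "paramType": "FORM_DATA", "dataType": "STRING"}},
  "filePath": "app/controllers/users_controller.rb", "startingLineNumber": 20},
 {"httpMethod": "GET", "urlPath": "/search",
  "parameters": {"q": {"name": "q", "paramType": "QUERY_STRING", "dataType": "STRING"}},
  "filePath": "app/controllers/search_controller.rb", "startingLineNumber": 3}
]"""

def load_endpoints(text):
    """Parse the report; accept 'parameters' as either a name-keyed map or a list."""
    endpoints = []
    for ep in json.loads(text):
        params = ep.get("parameters") or {}
        if isinstance(params, dict):
            params = list(params.values())
        endpoints.append({
            "method": ep.get("httpMethod", "?"),
            "path": ep.get("urlPath", "?"),
            "where": f'{ep.get("filePath", "?")}:{ep.get("startingLineNumber", "?")}',
            "params": [(p.get("name"), p.get("paramType"), p.get("dataType")) for p in params],
        })
    return endpoints

def parameter_inventory(endpoints):
    """One sorted row per (method, path, parameter): the checklist a tester keeps by hand."""
    return sorted((ep["method"], ep["path"], name, ptype, dtype, ep["where"])
                  for ep in endpoints for name, ptype, dtype in ep["params"])

def diff_inventory(old_endpoints, new_endpoints):
    """Parameters that appeared or disappeared between two versions of the code base."""
    key = lambda eps: {(m, p, n) for m, p, n, _, _, _ in parameter_inventory(eps)}
    old, new = key(old_endpoints), key(new_endpoints)
    return sorted(new - old), sorted(old - new)

if __name__ == "__main__":
    eps = load_endpoints(SAMPLE_JSON)
    for row in parameter_inventory(eps):
        print("\t".join(str(c) for c in row))
```

Replace SAMPLE_JSON with the contents of result.json to run it against a real scan; the file:line column points back to the controller that declares each parameter.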

Sahil Gupta

Application Security | DevSecOps | Secure SDLC | Penetration Tester (Web and API) | CEHv10 | IBM Certified Cybersecurity Analyst Professional
